Using MS Anti XSS Library for HTML Disinfection

In order to prevent XSS attacks, I am updating a page in which we have a text box that accepts HTML, stores it in the database, and retrieves and displays it later.

I understand that I can sanitize HTML using the AntiXSS.GetSafeHtmlFragment() method. As long as I do this before storing the HTML in the database, am I covered? Does anything need to be done when the HTML is displayed on a web page?

Also, it seems like the whitelist is a black box. Is there any way to update this based on our requirements?

+6
security xss antixsslibrary
4 answers

You should be set. Although, obviously, this will not protect you from anything already in the database.

You can use AntiXSS.GetSafeHtmlFragment() when displaying the page instead of when saving. But doing it when saving is probably safer. You would not want to do it both when rendering and when saving.

The whitelist is not available.

+4

Regarding your question about the black box: yes, this is a black box, and I understand that you cannot edit it. If you are looking for more detail, check out the AntiSamy.NET project.

+3

In recent 4.x libraries, Anti-XSS GetSafeHtml() and SetSafeHtmlFragment() are in the Sanitizer class in Microsoft.Security.Application, which has been moved to the HtmlSanitizationLibrary assembly.

[Deprecated link: http://www.microsoft.com/en-us/download/details.aspx?id=28589 ] Update: It looks like it has been ported to the NuGet package: https://www.nuget.org/packages/HtmlSanitizationLibrary/

+3

You are almost there. You must make sure that you select the correct encoding. For example, if user input got into a URL, you would need to use AntiXSS.UrlEncode(), and if it goes into JavaScript, you want to use AntiXSS.JavaScriptEncode(). If you cannot guarantee, when you save the input, what the output format will be, it is better to do a scan on the output.

+1
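Putting the answers together, here is an added example (not code from the thread or from Microsoft's own samples) of sanitizing the fragment once on the way into the database and then encoding per output context on the way out, using the 4.x AntiXSS API (Sanitizer from HtmlSanitizationLibrary, Encoder from AntiXssLibrary). The CommentPipeline class, its method names and the sample input are this example's own assumptions.

```csharp
// Added example: sanitize once on save, encode per context on display.
// Assumes the AntiXSS 4.x packages (HtmlSanitizationLibrary for Sanitizer,
// AntiXssLibrary for Encoder). Class and method names are this example's own.
using System;
using Microsoft.Security.Application;

public static class CommentPipeline
{
    // Save path: reduce the submitted HTML to the library's built-in safe subset.
    // The whitelist itself is not configurable, as the answers above note.
    public static string SanitizeForStorage(string userHtml)
    {
        return Sanitizer.GetSafeHtmlFragment(userHtml ?? string.Empty);
    }

    // Display path: the stored fragment was already sanitized, so it can be
    // emitted as HTML body content as-is. Anything that is NOT a sanitized
    // fragment (author name, ids) must be encoded for the exact context it
    // lands in: URL path segment, HTML attribute, or HTML text.
    public static string RenderAuthorLink(string author, string profileId)
    {
        return "<a href=\"/users/" + Encoder.UrlEncode(profileId) + "\" "
             + "title=\"" + Encoder.HtmlAttributeEncode(author) + "\">"
             + Encoder.HtmlEncode(author) + "</a>";
    }

    // JavaScript context: HtmlEncode is the wrong tool here. JavaScriptEncode
    // escapes for a JS string literal and emits the surrounding quotes itself.
    public static string RenderAuthorScript(string author)
    {
        return "<script>var commentAuthor = "
             + Encoder.JavaScriptEncode(author) + ";</script>";
    }

    public static void Main()
    {
        // Constructed sample input for demonstration only.
        string submitted = "<b>Hello</b><script>alert(1)</script>"
                         + "<a href=\"javascript:alert(2)\">x</a>";
        string stored = SanitizeForStorage(submitted);
        Console.WriteLine("Stored fragment : " + stored);
        Console.WriteLine(RenderAuthorLink("O'Brien <admin>", "42"));
        Console.WriteLine(RenderAuthorScript("O'Brien <admin>"));
    }
}
```

Note that the stored fragment is the only value written raw into the page; every other dynamic value goes through the encoder for its own context, which is the point of the last answer.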
